Accounts

It seems that scientists at University of Washington in Seattle have managed to encode malware into genomic data,
allowing them to gain full access to a computer being used to analyze
the data. While this may be a highly contrived attack scenario, it does
ask the question whether we pay sufficient attention to data-driven
exploits, especially where the data is instrument-derived. What other
systems could be vulnerable to a tampered raw data source? Perhaps
audio and RF analysis systems?

MIT Technology Review reports: "To carry out the hack, researchers led
by Tadayoshi Kohno and Luis Ceze encoded malicious software in a short
stretch of DNA they purchased online. They then used it to gain 'full
control' over a computer that tried to process the genetic data after it
was read by a DNA sequencing machine. The researchers warn that hackers
could one day use faked blood or spit samples to gain access to
university computers, steal information from police forensics labs, or
infect genome files shared by scientists. To make the malware, the team
translated a simple computer command into a short stretch of 176 DNA
letters, denoted as A, G, C, and T. After ordering copies of the DNA
from a vendor for $89, they fed the strands to a sequencing machine,
which read off the gene letters, storing them as binary digits, 0s and
1s. Yaniv Erlich, a geneticist and programmer who is chief scientific
officer of MyHertige.com, a genealogy website, says the attack took
advantage of a spill-over effect, when data that exceeds a storage
buffer can be interpreted as a computer command. In this case, the
command contacted a server controlled by Kohno's team, from which they
took control of a computer in their lab they were using to analyze the
DNA file." You can read their paper here.